Here's info obtained from the same client using openssl, you can se that subject CN is fine.
localadmin@fisica75:~$ echo | openssl s_client -showcerts -servername ipaserver.fisica.cabib -connect ipaserver.fisica.cabib:443 2>/dev/null | openssl x509 -inform pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 536805412 (0x1fff0024) Signature Algorithm: sha256WithRSAEncryption Issuer: O = FISICA.CABIB, CN = Certificate Authority Validity Not Before: Jul 14 14:25:06 2020 GMT Not After : Jul 15 14:25:06 2022 GMT Subject: O = FISICA.CABIB, CN = ipaserver.fisica.cabib Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:f5:93:fb:bc:b8:fe:de:48:e0:e1:e0:64:9e:2a: a9:89:8f:9d:81:9b:ac:4a:81:79:21:60:23:d2:7b: fa:52:1f:4c:fd:9d:27:88:c5:26:29:16:0d:36:f6: 4c:8b:5e:98:14:33:84:8b:81:1f:fd:7c:52:d8:a9: db:c2:69:cd:82:ba:81:9a:e8:a7:91:cb:08:4d:c5: 14:26:c2:c4:23:c3:c3:9e:3a:e0:c7:98:ce:60:93: fc:45:23:43:f2:f5:e7:a3:1f:5e:9a:09:3d:8f:68: db:1e:39:61:68:2a:13:86:ad:70:37:ff:ef:12:76: 0c:25:15:84:bf:fe:55:c5:23:bb:fb:18:21:3e:85: 6d:11:f9:02:53:c6:0d:15:14:d1:fc:79:a0:34:db: ff:f9:d7:e4:e2:4e:a5:2b:e3:58:b6:0a:c2:3e:c4: a9:61:a9:11:53:d3:3b:7c:06:fe:f7:e6:e3:be:46: 65:90:11:74:9b:79:13:23:27:28:3d:15:b9:e9:79: 3c:3b:00:43:08:58:e9:08:ce:30:85:3d:a0:01:d2: 63:d9:04:21:4e:19:97:9c:3a:c2:76:b4:4c:3a:1d: fd:2c:51:fb:16:52:31:8c:60:2a:f3:f8:9a:d7:4c: d8:c9:4b:f3:66:71:ad:e3:68:4c:80:f3:77:3c:9d: ef:ab Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: F4:2B:56:59:29:C3:E4:51:54:1A:9C:3F:F8:47:F1:F7:B6:3B:14:32 Authority Information Access: OCSP - URI:http://ipa-ca.fisica.cabib/ca/ocsp X509v3 Key Usage: critical Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: Full Name: URI:http://ipa-ca.fisica.cabib/ipa/crl/MasterCRL.bin CRL Issuer: DirName:O = ipaca, CN = Certificate Authority X509v3 Subject Key Identifier: 3E:8B:95:9F:DA:91:46:4C:2C:32:98:48:07:61:6A:30:6F:C1:B3:2D X509v3 Subject Alternative Name: othername: UPN::HTTP/ipaserver.fisica.cabib@FISICA.CABIB, othername: 1.3.6.1.5.2.2::<unsupported> Signature Algorithm: sha256WithRSAEncryption Signature Value: b6:fb:01:20:bf:2e:b8:75:b7:64:8e:bf:fd:37:59:52:56:15: a6:87:56:cd:38:e6:de:f9:8c:5e:61:ae:89:94:a4:59:08:37: ed:66:87:ae:67:de:7e:a5:7d:c4:46:9d:a3:e4:68:09:2d:7d: bd:8c:34:02:d8:ad:ee:ed:c5:47:96:b2:69:22:45:e5:24:92: 1f:15:b6:27:53:c0:de:cc:af:b4:7c:8c:89:82:12:29:44:0f: 6d:19:67:6a:b4:2e:2e:24:51:0c:87:99:a9:4d:3b:01:21:6b: e3:a2:2c:2e:b1:07:65:4c:c9:e0:f9:71:b6:ac:e4:3f:9d:c7: 91:07:6d:74:bf:40:40:ba:db:d2:e1:9f:e0:9e:f4:00:5d:49: 66:fa:de:43:5a:17:69:6e:b5:02:24:67:24:ab:88:14:55:48: c0:31:41:b4:a9:46:da:31:e0:45:d7:4f:58:80:cc:65:d8:ba: 5d:c0:76:44:a4:3c:28:73:03:8a:a8:e8:ec:f4:2d:e4:c3:4f: 77:50:7f:84:4b:10:ff:8b:55:af:7d:db:99:80:09:e3:a6:17: 68:26:46:93:40:38:a8:60:c8:20:5a:3f:aa:3e:aa:a2:ed:5b: 38:d1:c0:f7:de:f4:cf:45:f2:77:41:0b:9a:45:0e:eb:15:03: dd:92:d4:68 localadmin@fisica75:~$ And more info obtained with curl: localadmin@fisica75:~$ curl --insecure -vvI https://ipaserver.fisica.cabib * Trying 10.reda.cted.ip:443... * Connected to ipaserver.fisica.cabib (10.reda.cted.ip) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * TLSv1.0 (OUT), TLS header, Certificate Status (22): * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS header, Finished (20): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS header, Finished (20): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 * ALPN, server did not agree to a protocol * Server certificate: * subject: O=FISICA.CABIB; CN=ipaserver.fisica.cabib * start date: Jul 14 14:25:06 2020 GMT * expire date: Jul 15 14:25:06 2022 GMT * issuer: O=FISICA.CABIB; CN=Certificate Authority * SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway. * TLSv1.2 (OUT), TLS header, Supplemental data (23): > HEAD / HTTP/1.1 > Host: ipaserver.fisica.cabib > User-Agent: curl/7.81.0 > Accept: */* > * TLSv1.2 (IN), TLS header, Supplemental data (23): * Mark bundle as not supporting multiuse < HTTP/1.1 301 Moved Permanently HTTP/1.1 301 Moved Permanently < Date: Fri, 27 May 2022 13:53:28 GMT Date: Fri, 27 May 2022 13:53:28 GMT < Server: Apache/redactedversion Server: Apache/redactedversion < Location: https://ipaserver.fisica.cabib/ipa/ui Location: https://ipaserver.fisica.cabib/ipa/ui < Content-Type: text/html; charset=iso-8859-1 Content-Type: text/html; charset=iso-8859-1 < * Connection #0 to host ipaserver.fisica.cabib left intact Also attached public cert El vie, 27 may 2022 a la(s) 10:20, Rob Crittenden (rcrit...@redhat.com) escribió: > Gustavo Berman via FreeIPA-users wrote: > > Hello there! > > > > Ubuntu 18.04 (and previous ones) works just fine > > In Ubuntu 22.04 I'm trying to execute ipa-client install but it fails > with: > > > > root@fisica75:~# ipa-client-install > > This program will set up IPA client. > > Version 4.9.8 > > > > WARNING: conflicting time&date synchronization service 'ntp' will be > > disabled in favor of chronyd > > > > Discovery was successful! > > Do you want to configure chrony with NTP server or pool address? [no]: > > Client hostname: fisica75.fisica.cabib > > Realm: FISICA.CABIB > > DNS Domain: fisica.cabib > > IPA Server: ipaserver.fisica.cabib > > BaseDN: dc=fisica,dc=cabib > > > > Continue to configure the system with these values? [no]: yes > > Synchronizing time > > No SRV records of NTP servers found and no NTP server or pool address > > was provided. > > Using default chrony configuration. > > Attempting to sync time with chronyc. > > Time synchronization was successful. > > User authorized to enroll computers: tavo > > Password for tavo@FISICA.CABIB: > > Successfully retrieved CA cert > > Subject: CN=Certificate Authority,O=FISICA.CABIB > > Issuer: CN=Certificate Authority,O=FISICA.CABIB > > Valid From: 2014-01-14 12:56:57 > > Valid Until: 2034-01-14 12:56:57 > > > > Enrolled in IPA realm FISICA.CABIB > > Created /etc/ipa/default.conf > > Configured /etc/sssd/sssd.conf > > Configured /etc/krb5.conf for IPA realm FISICA.CABIB > > cannot connect to 'https://ipaserver.fisica.cabib/ipa/json': [SSL: > > CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, > > certificate is not valid for 'ipaserver.fisica.cabib'. (_ssl.c:997) > > The ipa-client-install command failed. See > > /var/log/ipaclient-install.log for more information > > root@fisica75:~# > > > > There is no Hostname mismatch for the server certificate. It has been > > working just fine for years with multiple distros as clients. I can > > access the website with the same URL and cert is just fine. > > > > The error message is pretty clear and comes out of openssl. Can we see > the web server certificate from that host? Can you confirm that the host > the client connected to is actually this host (e.g. DNS or /etc/host > issues)? > > rob > > -- Gustavo Berman Sysadmin - Gerencia de Física - Centro Atómico Bariloche - CNEA
ipaserver.fisica.cabib.pem
Description: application/x509-ca-cert
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure